WordPress 2.3 Does Not Spy On Users [UPDATED]

Marilyn Miller writes "Popular open-source blogging engine WordPress has been upgraded to 2.3 — with some unexpected nasties in the mix. As of version 2.3, WordPress now periodically (every 12 hours) sends personally identifying information (blog name & URI) to the mothership, along with an alarming amount of information including $_SERVER dumps, a list of installed plugins, and your current PHP/MySQL settings. Most unfortunately, it does not provide any way of disabling this functionality, and WordPress does not have any privacy policy protecting this information. In a thread about the issue, lead developer Matt Mullenweg defends his actions and staunchly refuses to add an opt-in interface, telling users to 'fork WordPress' if they aren't willing to put up with this behavior." Update: 09/25 17:52 GMT by KD : This article is misleading enough to be called "just wrong." Matt Mullenweg writes: "As mentioned in our release announcement, the update notification sends your blog URL, plugins, and version info when it checks api.wordpress.org for new and compatible updates. It does not include $_SERVER dumps, or any settings beyond version numbers (for checking compatibility), or your blog name, or your credit card number. We do provide a way of disabling this feature; in fact I link to one of the plugins in the release announcement and in my original response to Morty's thread."

Surprised/

[Captain Splendid (673276)]

You shouldn't be. Developers gotta eat.

Re:Surprised/

[gclef (96311)]

Crow isn't very nutritious.

Re:

[beavis88 (25983)]

Yep. I hope for Matt's sake that crow is a tasty meal.

Re:

[jimstapleton (999106)]

kindof actually, both at the summary, and the fact that the guy would bother...

"Popular open-source blogging engine WordPress has been upgraded to 2.3 -- with some unexpected nasties in the mix. As of version 2.3, WordPress now periodically (every 12 hours) sends personally identifying information (blog name & URI) to the mothership, along with an alarming amount of information including $_SERVER dumps, a list of installed plugins, and your current PHP/MySQL settings. Most unfortunately, it does not pro

Re:

[Smidge204 (605297)]

I think what was meant is: There is no "off switch" for the "feature". If you want to disable it, you have to manually track down all the code that enables the functionality and remove it yourself, as opposed to unchecking a box on an adminstration page or editing a line in a config file.

=Smidge=

Re:Surprised/

[ZaMoose (24734)]

Not true. There are two plugins that explicitly disable this functionality:
disable WordPress version check [wordpress.org] and disable plugin version check [wordpress.org], both of which were mentioned by Matt in the thread above.

Re:

[KlomDark (6370)]

Why should someone have to install a plug-in to disable BASE FUNCTIONALITY? Shouldn't that be part of the base code?

What if someone has an issue with this information being transmitted? What if WP transmits the info before they are able to install the plug-in?

Guys, the issue here is not what info is being sent, it's that the information is being transmitted without asking for permission of the person running WP.

However, one of the best points brought up in the mailing list about what info is being sent is t

Re:

[ZaMoose (24734)]

Why should someone have to install a plug-in to disable BASE FUNCTIONALITY? Shouldn't that be part of the base code?

This is likely to occur in version 2.3.1. In fact, I'm advocating [wordpress.org] for just such a change, in true Open Source fashion.

The problem here is less one of malice and more one of poor timing. The WordPress project has been trying to stick to a rigorous, rigid schedule for releases (see: Fedora Project, Ubuntu, etc.) and this issue cropped up about 1.5 days before release. You can argue that the r

Re:

[Joebert (946227)]

Gives new meaning to the term Web Monkey.

Suggestion

[by Anonymous Coward]

He can go fork himself.

Fork

[Spy der Mann (805235)]

Cue OpenWordPress project appearing in Sourceforge in 5... 4... 3...

Alternatives, in that case?

[Spy der Mann (805235)]

Wow - to think that such a popular blogging engine is so flawed...

Anyway, i googled and found this link:

http://www.mitchelaneous.com/2007/09/19/9-wordpress-alternatives/ [mitchelaneous.com]

9 WordPress Alternatives

September 19, 2007 at 7:16 am Web Development

No doubt that WordPress is the king of the hill when it comes to content management these days. It seems like in a lot of people's eyes they can do no wrong. There have to a few other choices out there though right?

Now don't get me wrong, I am totally happy with Wordpress - but, there are several cool alternatives that might be worth checking out for your next web project.

Drupal - Drupal is a little more of a WordPress on steroids. Lots of goodies and better membership system in place too.

AJAXPress - A little buggy by looking at the demo but will become a better idea once it has had more time to get polished.

Textpattern - Flexable and open source blogging solution - much of the same WordPress look and feel.

Serendipity - This is a PHP-powered weblog application which gives the user an easy way to maintain a weblog or even a complete homepage.

Joomla - Like Drupal, might be too feature rich for the casual blogging fan - but a good engine for in depth web sites or basic blogs.

b2evolution - An old one, but still a good one - and can hold it's own weight still with the other selections out there.

Simplog - Simple, yet powerful - the name says it all here. You want basics without the fluff - go with Simplog.

Wikiblog - This one tries to mix the blogging and wiki sides of things into an interesting mashup of content creation.

Sblog - Another one similar to WordPress, looks like it is playing catchup too. Once it gets there though, might be worthy competition.

There you have it - nine other tools you can use to get your content published and your articles out there to the world. Have one I missed?

Now, my question is - how secure are they for you, sethawoolley? Which one would you choose?

This thread would be longer...

[My name is Bucket (1020933)]

...But people are busy checking their posts from the "Sony DRM" thread last month to make sure they don't look like hypocrites.

fork

[rodentia (102779)]

telling users to 'fork WordPress'

Consider it done.

I nominate the fork name to be:

[jbeaupre (752124)]

PrivatePress

well

[stoolpigeon (454276)]

one way to disable it is to go into the code and remove the offending portion. couldn't be that hard to do. and once somebody does it and posts instructions, it gets even simpler. no reason to fork the project.
 
and wordpress isn't that complicated that this is something that no one but the most hard core will do. tons of wordpress users regularly go in and tweak it for their own uses. i haven't moved to this new versions with my site yet - i always wait a bit for things to shake out, and stuff like this is why. when i do upgrade, i'll just fix my install.

Re:

[SamP2 (1097897)]

"one way to disable it is to go into the code and remove the offending portion."

Or take the even easier path and set up your firewall to block all packets from this application.

But neither of those options solve the underlying problem - the whole point of FLOSS is to prevent this from happening in the first place. If I have to take any extraordinary steps to secure myself against a free software application I'm using, if I have to go and turn an enemy into a friend through manual effort and each other user

Re:

[GeckoX (259575)]

Not the right answer. Fork is better.

Why? Well anything else is supporting this developers decision, albeit indirectly.

He has every right to decide to do this, but users have every right to not use his code.

Let him be right and eat crow at the same time.

Ignorant bugger needs to learn a few hard lessons apparently.

Re:

[trolltalk.com (1108067)]

"> you fixed it for people running wordpress on a machine where they have root privileges. which i'm sure is a good number, but i'm not in that group. thanks anyway."

In that case: fgrep -n 1 "api.wordpress.org" *.php > lines_of_code_I_might_want_to_change.txt

Guys, the information is all really essential...

[nweaver (113078)]

So what does it send, according to the FA:
The blog's URL
A list of all plugins and versions
A list of the $_SERVER env variables

How is this information not necessary for a robust autoupdating/autonotifying infrastructure? Since the plugns are the source of so many vulnerabilities, you need to know their versions etc.

Since so much incompatibility may be caused by funky $_SERVER variables, you need to know their contents.

And the blog URL tells you who it is.

Windows Update has to send far MORE intrusive information.

Re:Guys, the information is all really essential..

[by Anonymous Coward]

Why can't they download a file with a list of "all updates" and check locally?

Re:

[ZaMoose (24734)]

The thinking was (as per Matt's post):

The system was designed to keep the client side as light as possible so
the heavy lifting can be done on the server side, allowing us a lot more
flexibility and agility in adapting the service as it gets rolled out
and evolves.

For example right now nothing is done with regards to localization, but
because of the data being sent and the lightness of the client side we
could introduce that feature in the future without having to update
every install of WordPress in the world. T

Re:Guys, the information is all really essential..

[Otter (3800)]

At a minimum, I don't see why sending this information is so "alarming", even if it's inappropriate. Are your $_SERVER env variables such a sensitive bit of information?

Re:Guys, the information is all really essential..

[Billosaur (927319)]

It isn't what information they are looking at but how. If they want the information and it will make the software better, fine, but do they really have to go about it in such a sneaky and under-handed way? Even Microsoft allows you to control how your system is updated (I never let it run automatically; I prefer to know what it's trying to put on my system.). As to the "fork" comment, while I thin the generic blogging community will be clueless and have no idea what this is all about, this will drive the OS

Re:Guys, the information is all really essential..

[ObsessiveMathsFreak (773371)]

How is this information not necessary for a robust autoupdating/autonotifying infrastructure?

Absolutely. However, you are assuming that I want my Wordpress installation to automatically update, and further that I am willing to give up a lot of sensitive information in order to get that done.

There should be a way to turn this feature off, plain and simple. There is no excuse whatsoever for forcing this down users throats. None. Yes, comment spam and other vulnerabilities are something that needs dealing with

Pyblosxom

[Marcion (876801)]

Well if anyone is looking for an alternate upgrade path, I 'upgraded' my blog from Wordpress 2.2 to Pyblosxom and am really enjoying using it:
- its really light and fast
- I can edit posts in a text editor rather than a web based interface
- its in Python and very easy to customise
- theming far simpler, just rip your HTML template into a header and footer, rather than having to make 12 files with Wordpress.

Plug over... Move along...

That product is doomed

[multipart/mixed (163409)]

Can you imagine the water cooler conversation about Pyblosxom? How the hell are they supposed to go back and google about it? That'd be like trying to google for the symbol that represents the artist formerly known as Prince.

I mean, really, WTF. They might as well have named it slakdfjalskdjflaskjdf!

Breathless Hyperbole.

[Some guy named Chris (9720)]

Read the thread. This isn't a developer admitting to spying on users. This is debate over a new feature written to help you keep from getting your blog haxored. They are collecting server and plugin data to help you to keep your software up to date.

Matt Mullenweg is being very reasonable and reasoned in dealing with a small but vocal groups paranoia. In the same breath that he mentioned forking Wordpress, he also mentioned that another option is using a plugin that disables this behavior.

The submitter should be ashamed.

Re:Breathless Hyperbole.

[vux984 (928602)]

Matt Mullengweg is not being reasonable. He should simply make it an option. without requiring users to fork or install plug-ins or hack to overcome defective-by-design features.

It should be easy to turn on and off.
It should default to off.
It can ask one time during the upgrade, or first login after the upgrade, to be turned on, with an explanation of what it does and why he thinks it can be turned on.

There is no good reason the above cannot or should not be accomodated.

Re:

[Tom (822)]

It should be easy to turn on and off.
It should default to off.

There are some times were default off is not useful.

If windos auto-update would conform to those standards, we'd have a billion spam bots out there.
Instead of the half-a-billion we have now.

Re:Breathless Hyperbole.

[kwandar (733439)]

I agree. Matt Mullenweg based on what I read (and I don't use Wordpress or know Matt or anyone else there) was very reasonable, and laid out the reasons for this. Did the slashdot editor even read this?!

Isn't this the point of FOSS?

[Enlarged to Show Tex (911413)]

If the developer decides to insert malware, or other forms of code not acceptable to you, the GPL gives you the freedom to modify it to suit your own needs. If that means you have to fork the project, so be it - that's within your rights under the GPL.

OTOH, the idea of using FOSS (good!) as a venue for spyware (bad!) is enough to make a guy's head explode...

What Matt wrote

[imaginaryelf (862886)]

Message-ID:
Date: Sun, 23 Sep 2007 12:35:26 -0700
From: Matt Mullenweg
To: wp-hack...@lists.automattic.com
Subject: Re: [wp-hackers] Plugin update & security / privacy
References:
In-Reply-To:

Moritz 'Morty' Strübe wrote:
> I know this will not change until Monday, but is it really necessary to
> transmit the URL?

Your blog URL and version has been sent by default for 4+ years to every
ping service in the world, including Ping-O-Matic, every time you make a
post. Of course you can turn that off, just like you can turn update
notification off, but statistically no one does.

The only new information being sent by the update checker is PHP version
and a list of plugins. If you don't like that feature, please install a
plugin to disable it:

http://wordpress.org/extend/plugins/disable-wordpress-core-update/ [wordpress.org]
http://wordpress.org/extend/plugins/disable-wordpress-plugin-updates/ [wordpress.org]

Of course don't forget the WP dev blog and planet RSS feeds, and most
importantly the incoming links feed which ALSO transmits your blog URL.

I would also recommend disabling the updates in Mac OS X, Firefox,
Windows, Thunderbird, Adobe Photoshop, and any other third-party
applications you have. As all of those are tied to your personal IP and
not your server IP they have far more implications for privacy.

> If that database
> gets public and you find a security bug in one of the plugins - there
> are enough - you can start a _very_ effective attack!

Such an attack would not be more effective, it would just be more
efficient. Historically, however, scripts that attack against WordPress
don't bother checking the version or if a plugin is there or not, they
just seek out every WP blog and check the specific capability or
vulnerability.

Nevertheless, we're beefing up the infrastructure and security of
WordPress.org, which Barry is working on right this instant. In 2 years
of running WordPress.com and Akismet, two extraordinarily
high-visibility targets, there has never been a problem on a server
Barry set up. The only problems we've had (once on WP.org, once on
PhotoMatt) have been things I set up, and I'm not setting up these new
ones. :)

I think this feature is actually going to dramatically improve the
security of WordPress overall. We all saw the survey that 95% of WP
blogs were vulnerable. That didn't even look a plugins. I think the
survey was flawed, but you still can't deny that for most people knowing
there is an update and actually updating just doesn't happen, and this
is a necessary first step. If the only "trade-off" is sending an ALREADY
PUBLIC blog URL to wordpress.org, then great!

I would like to remind the participants of this thread that WP.org !=
Automattic, so to be fair to the members of both please distinguish
which you're referring to.

Re:What Matt wrote

[GeckoX (259575)]

Well, shit, that's not even close to what was insinuated in the summary.

Thanks for your flamebait kdawson, really mature and appreciated.

WTF.

Rip out the code?

[e2d2 (115622)]

It doesn't provide you a way to stop it? Hardly. They provide full source code under GPL. Rip it out, publish changes, DONE.

Fork we shall

[businessnerd (1009815)]

This is once again proof that the open source model is a good thing for users and protects us from unknowingly being used as pawns. The win is two fold here. First, the source was open, so that it was available for audit by anyone. This appears to be how this functionality was discovered. Someone noticed what the code was doing and raised a red flag. Now the users are aware and can make a choice in whether they will make the upgrade, not make the upgrade or turn to a new application. In the closed source world, often we are unaware of "unsavory code" while we use it for some time, all the while being subjected to its unsavory effects.

The second way that the open source model has won, is that users who disagree with the direction the application is heading in can now fork. In fact, the head developer of the project suggests it.

Matt Mullenweg defends his actions and staunchly refuses to add an opt-in interface, telling users to 'fork WordPress' if they aren't willing to put up with this behavior."

I'm pretty confident that this will happen and happen fast. Given that people "fork" (some say hack/crack) closed source software all the time to leave out all of the "evil" modules (See Kazaa > Kazaa Lite > Kazaa Lite K++; and don't forget cracked Windows XP) forking an open source project to leave out all of the "evil" modules should be pretty easy. I'm no developer, but I could see this being as simple as taking the original source, commenting out/removing the bad stuff, and then redistributing.

This is SENSATIONALISM (not Sparta)

[Laebshade (643478)]

When I first read the summary, I was a little worried. Then I went and read the actual reply in the WordPress Hackers mailing list Matt posted, and I was relieved. He points out that the blog name and URI has been sent to services like Ping-o-Matic (wordpress-run service) for 4 years now. For those wanting to disable it, he even posts links for plugins that will disable the feature of the 'update checker'. Seems to me this slashdot article was posted by someone who wants to take WordPress down. Here's a part of his post:

Your blog URL and version has been sent by default for 4+ years to every
ping service in the world, including Ping-O-Matic, every time you make a
post. Of course you can turn that off, just like you can turn update
notification off, but statistically no one does.

The only new information being sent by the update checker is PHP version
and a list of plugins. If you don't like that feature, please install a
plugin to disable it:

http://wordpress.org/extend/plugins/disable-wordpress-core-update/ [wordpress.org]
http://wordpress.org/extend/plugins/disable-wordpress-plugin-updates/ [wordpress.org]

Of course don't forget the WP dev blog and planet RSS feeds, and most
importantly the incoming links feed which ALSO transmits your blog URL.

I would also recommend disabling the updates in Mac OS X, Firefox,
Windows, Thunderbird, Adobe Photoshop, and any other third-party
applications you have. As all of those are tied to your personal IP and
not your server IP they have far more implications for privacy.

As to what the summary refers to, where Matt suggests a person fork Wordpress:

Moritz 'Morty' Strübe wrote:
> It can.

Your blog URL is completely harmless.

  > We only have your word for that. And sorry, that is not enough
  > for me. Especially if it does not have to be.

If you don't trust wordpress.org, I suggest you do one of the following:

1. Use different software.
2. Fork WordPress.
3. Install one of the aforementioned plugins.

Again, he gives the solution to the original poster's complaint (Moritz 'Morty' Strube). If this Moritz is really concerned, he can fork and remove the new code that transmits this information - or if he isn't too concerned, just install the plugins matt suggested.

This is making something out of nothing. Definitely nothing to see here, please move along.

Re:

[illumin8 (148082)]

Your blog URL is completely harmless.

> We only have your word for that. And sorry, that is not enough
> for me. Especially if it does not have to be.

LOL... I almost spit my coffee on the keyboard when I read this. I think some bloggers need to take off their tinfoil hat and step away from the keyboard... If you don't want anyone to find out your blog URL, then WTF are you doing blogging? Isn't the whole point for as many people as possible to find your blog URL?

Why is this even an issue?

[gillbates (106458)]

You have the source code, right?

If you don't like the way the software behaves, you can change it. This is one of the fundamental freedoms the FSF endorses. In fact, I would say this is a perfect example of the open source model in action:

1. User doesn't like a feature of the software.
2. User disables feature in source code, recompiles, and improves the software.

The sad thing is that Microsoft and other proprietary vendors have been so successful at convincing the general public that they should be a

Where did he say to just go fork?!

[kwandar (733439)]

Maybe I missed it, but it struck me that the developer's response was very civil, and well thought out. From the slashdot article you'd think he'd told the whole community to "fork off"?

So - did I miss something, or did everyone else not RTFA?

The Actual Quote

[michaelkpate (260010)]

Since no had actually linked the Fork comment, http://groups.google.com/group/wp-hackers/browse_thread/thread/bdced7524fa79a18/f8b5bc6efc4a4005#f8b5bc6efc4a4005 [google.com]

> If you don't trust wordpress.org, I suggest you do one of the following:

> 1. Use different software.
> 2. Fork WordPress.
> 3. Install one of the aforementioned plugins.

Don't worry

[m4g02 (541882)]

As a rule spying on users shouldn't be a security concern as long as the person/corporation spying is honest, just and only concerned on improving their software and the user experience...

So... As a rule spying on users is always a security concern =P (name it WordPress or Windows Update).

Google Cloaking

[Trillan (597339)]

For those wondering what the big deal is, I expect a lot of the reaction is fueled by memories of Mullenweg being caught google cloaking [theregister.co.uk] in 2005. Once someone loses your trust, you don't really want to share any data with them.

Summary Is A Troll

[bmo (77928)]

And not only is it a troll, it's tinfoil haberdashery and skating _really close_ to Libel.

Actually RTFA Matt's reasoning gives the opposite impression of the summary. Fork the submitter and Kdawson for greenlighting this.

--
BMO

I'm glad Matt updated us on this...

[Mr.Fork (633378)]

Canada's privacy law is pretty strict against the unauthorized sending in of personally identifiable information, especially one that sends it to an American server. There, the Patriot act allows the government to capture Matt's database. And the kicker, he is not allowed to tell you.

Up here, we (being the government) can't buy any software package that stores the data in the USA. I can only imagine the tens of millions of lost dollars in contracts because of the Patriot Act. I would of hate to have added Matt's awesome editor to that list. Rock on Matt!

Re:

[Laebshade (643478)]

The "fork wordpress" comment by Matt is taken out of context. See the link in the summary [google.com] and do a ctrl+f search for "Matt Mullenweg".

Re:

[vux984 (928602)]

The versions it reports are for an autoupdate feature...

And everyone knows that this can done equally well by having the client request the current version number, and then the client can decide based on that whether an upgrade is needed. There is no reason for the server to need to know the version number to support an autoupdate feature.

and the $_SERVER and php/database settings are (I imagine) used to figure out what wordpress settings are common. How soon they can remove support for old versions of mysq

Re:

[thenextpresident (559469)]

Dear god, you know that your slashdot comments show your URL?!?? You'd better stop there!

Thank you Mr. Did-Not-Read-The-Fscking-Article.

I thought...

[WED Fan (911325)]

I thought only MS could be evil. Well, Google, too. Now, you are telling me that open sourcers are evil, too? Now, how many of you that use WordPress dug into the code to find that out? Hands? Anyone? Anyone? Bueller? Nah, didn't think so. But, I bet a number of you upgraded. Doesn't matter, closed or open, you're argument about security is bogus unless you crawl through the code, otherwise, it might as well be closed.

Re:

[syrinx (106469)]

Ironically, I was considering global site licenses of this product for our public relations agency. Thanks for dropping out of the running!

I hope you actually read the article, and put some consideration into it, and aren't basing a business decision on a flamebait Slashdot summary.